🐑 Volt Typhoon targets Guam critical infrastructure

Microsoft uncovers state-sponsored cyber espionage campaign

Microsoft has recently uncovered stealthy and targeted malicious activity aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that usually focuses on espionage and information gathering. Microsoft believes with moderate confidence that this Volt Typhoon campaign aims to develop capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.

Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and other parts of the United States. The affected organizations come from various sectors, including communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education. The observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.

To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to collect data, including credentials from local and network systems, put the data into an archive file to stage it for exfiltration, and then use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.

Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. To learn more about Microsoft's approach to threat actor tracking, read Microsoft shifts to a new threat actor naming taxonomy.

For more information, read Microsoft's blog post.

Why it matters

Guam is home to three American military bases, and the western Pacific island would play a crucial strategic role if the U.S. needed to respond to any potential Chinese military attack on or blockade of Taiwan. Microsoft detected a hacking operation whose likely aim is to "disrupt critical communications infrastructure between the United States and Asia region during future crises." This was reported in a blog post by Microsoft on Wednesday.

A joint cybersecurity advisory was issued on May 24, 2023 by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) to warn of a China-sponsored cyber actor that is using built-in network tools to evade detection. The actor, which is believed to be operating from the People's Republic of China (PRC), has been observed targeting a wide range of organizations in the United States and Australia, including government agencies, critical infrastructure entities, and businesses.

The actor's primary tactics, techniques, and procedures (TTPs) include:

  • Using built-in Windows tools, such as wmic, ntdsutil, netsh, and PowerShell, to perform their objectives. This allows the actor to blend in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products, and limit the amount of activity that is captured in default logging configurations.

  • Leveraging compromised small office/home office (SOHO) network devices as intermediate infrastructure to obscure their activity by having much of the command and control (C2) traffic emanate from local ISPs in the geographic area of the victim.

  • Selectively clearing Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity.
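As an added example (not code from the advisory or from Microsoft's post), the following Python runs a simple detection pass over a constructed sample of Windows Security event records and flags the built-in tools and log clearing named above. Event IDs 4688 (process creation), 1102 (Security audit log cleared) and 104 (other event log cleared) are real Windows IDs that the page itself does not cite, and the per-host severity scoring is an assumption made here for illustration.

```python
"""Flag living-off-the-land tooling and log clearing in Windows event records.
Added example; the sample data below is constructed, not a real capture."""
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Built-in binaries the advisory names as the actor's preferred tooling.
WATCHED_BINARIES = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
# 4688 = process creation; 1102 = Security log cleared; 104 = other log cleared.
PROCESS_CREATED, SECURITY_LOG_CLEARED, EVENTLOG_CLEARED = "4688", "1102", "104"

# Constructed sample in the shape of a flattened CSV export of Security events.
SAMPLE_CSV = """\
EventID,Host,NewProcessName,SubjectUserName
4688,DC01,C:\\Windows\\System32\\svchost.exe,SYSTEM
4688,DC01,C:\\Windows\\System32\\ntdsutil.exe,svc_backup
4688,WS07,C:\\Windows\\System32\\wbem\\WMIC.exe,jsmith
4688,WS07,C:\\Windows\\System32\\netsh.exe,jsmith
1102,DC01,,svc_backup
4688,WS12,C:\\Program Files\\Vendor\\app.exe,SYSTEM
"""

def analyze(csv_text):
    """Return {host: {"tools": [...], "log_cleared": bool, "severity": str}}
    for every host with at least one finding; clean hosts are omitted."""
    findings = defaultdict(lambda: {"tools": set(), "log_cleared": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, eid = row["Host"], row["EventID"]
        if eid == PROCESS_CREATED:
            # PureWindowsPath splits backslash paths on any analyst OS; lower()
            # because 4688 preserves on-disk casing (WMIC.exe vs wmic.exe).
            image = PureWindowsPath(row["NewProcessName"]).name.lower()
            if image in WATCHED_BINARIES:
                findings[host]["tools"].add(image)
        elif eid in (SECURITY_LOG_CLEARED, EVENTLOG_CLEARED):
            findings[host]["log_cleared"] = True
    report = {}
    for host, f in findings.items():
        # Watched tool use followed by a cleared log matches two of the three
        # TTPs on one host; score that "high", a single TTP "medium" (assumed).
        severity = "high" if f["tools"] and f["log_cleared"] else "medium"
        report[host] = {"tools": sorted(f["tools"]),
                        "log_cleared": f["log_cleared"], "severity": severity}
    return report

if __name__ == "__main__":
    for host, r in analyze(SAMPLE_CSV).items():
        print(f"{host}: {r['severity']:6} tools={r['tools']} "
              f"log_cleared={r['log_cleared']}")
```

In a real deployment the same logic would read from a SIEM export rather than an inline string, and the watchlist would be tuned against the administrators who legitimately run these tools.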

The advisory provides a number of recommendations to help organizations protect themselves from this threat, including:

  • Implement strong security controls, such as multi-factor authentication, to make it more difficult for attackers to gain access to systems.

  • Monitor for suspicious activity, such as unusual network traffic or changes to system configurations.

  • Keep systems up to date with the latest security patches.

  • Train employees on cybersecurity best practices.

Organizations that believe they may have been targeted by this actor should contact CISA at 1-800-220-0001 or visit the CISA website at www.cisa.gov.

The Importance of Protecting Critical Infrastructure with Operation Focused Defense

The recent Volt Typhoon attack highlighted the vulnerability of current cybersecurity solutions for critical infrastructure, which are susceptible to threats from both external and internal sources. Operational Technology and Industrial Control Systems (OT/ICS), the systems and technologies that control and operate critical infrastructure such as power grids, water treatment plants, and transportation systems, are particularly vulnerable, as any attack on them can cause significant economic losses and take longer to recover from.

To defend against such cyber attacks, organizations must prioritize detecting unexpected changes in devices and systems to eliminate their potential to cause problems. This involves unique identification of each device and continuous analysis of telemetry data to detect changes and respond quickly.

Traditional IT Endpoint Detection and Response (EDR), a cybersecurity approach that focuses on identifying and responding to threats in real time, is not suitable for OT/ICS environments. These methods do not account for the unique operational behavior of such systems and can cause interruptions by affecting the operation itself.

Operation Focused Defense is a new approach that is specifically engineered for OT/ICS environments. It identifies each device and monitors changes in its normal operation to detect unexpected alterations and abnormal behavior in real time through deviation and behavioral analysis. These changes are suppressed before they can have any impact, so security teams can mitigate the risks of cybersecurity attacks.

To ensure the availability, stability, and security of operations in critical infrastructure, organizations must adopt an Operation Focused Defense mindset. This approach focuses primarily on detecting changes, especially unexpected ones, to prevent interruptions due to system failures, unauthorized changes, or security incidents, ensuring consistent delivery of products and services to customers. By doing so, organizations can safeguard against cyberattacks and ensure the continuity of critical infrastructure operations.
